tech-net archive


Re: Improving the data supplied by BPF



Arnaud Lacombe wrote:
> Hi,
> 
> On Fri, Dec 26, 2008 at 7:43 PM, Jim Wise <jwise%draga.com@localhost> wrote:
>> "Arnaud Lacombe" <lacombar%gmail.com@localhost> writes:
>>> 2^32 1500-byte packets is about 6TB of data; on a 100Mbit link, the
>>> sequence number will wrap after 5.6 days (if you consider
>>> uni-directional traffic), on a 1Gb link, half a day, and a bit more
>>> than 1 hour on a 10Gb link. This is the worst-case scenario. Two
>>> records taken at the <wrap_time> interval will likely collide on
>>> a high-load link.
>> Will they?  Wouldn't you have to not sample for a whole <wrap period>
>> for it not to be immediately obvious that a wraparound had occurred?
>>
> No, think about the case where you set up a low-pass filter in tcpdump
> to monitor only some events. In this case, sequence numbers get consumed
> by high-frequency events and the wrap can happen in the background.

The filter is applied before the counter increments.

It is a count of packets accepted by the filter.

It is not a count of packets on the NIC unless the filter accepts
all packets on the NIC.

So if your filter was "arp" or "port 67", then if there were
500,000pps of NFS traffic, the counter would not move because
of NFS packets, only because of the ARP or DHCP/BOOTP messages.

Darren

